With the help of the Web Application Firewall module, the admin can secure the web store against attackers. The admin can prevent particular file types from being uploaded to the website and can block access to the website for any country or IP address.
The admin is notified of any brute-force attack, and validation of customer email addresses is available as an option.
Features
- Admin can enable notifications for unrecognized logins.
- Master Password feature to block all sub-user accounts.
- Admin can receive a notification for each file uploaded to the system.
- Admin can prevent specified file types from being uploaded.
- Ban any country from logging in to the admin panel.
- Admin can protect the admin panel against brute-force attacks.
- Brute-force logs are available to the admin.
- Admin can blacklist/whitelist IPs.
- AbuseIPDB integrated to block and report IP.
- Mailboxlayer integrated to validate emails for customers.
- Admin can enable real-time email validation for customers.
- Admin is allowed to create custom email templates for each action.
Installation
Customers receive a zip archive and must extract its contents on their system. The extracted folder contains an src folder, and inside src is the app folder. Transfer this app folder into the Magento 2 root directory on the server as shown below.
After the files are in place, run the following commands in the Magento 2 root directory.
First Command –
php bin/magento setup:upgrade
Second Command –
php bin/magento setup:di:compile
Third Command –
php bin/magento setup:static-content:deploy
After running the commands, flush the cache from the Magento admin panel by navigating to System > Cache Management as shown below.
Multilingual Support
For multilingual support, the admin navigates to Store > Configuration > General > Locale Options and selects the locale, for example German (the language into which the admin wants to translate the store content).
Module Translation
If you want to translate the module from English to German, open the path src/app/code/Webkul/WebApplicationFirewall/i18n in the unzipped Magento2_customer_credit_system folder. There you will find a CSV file named “en_US.csv”.
Now rename that CSV to your language and region code, e.g. “de_DE.csv”, and translate the right-hand column into your language.
After editing the CSV, save it and upload it to your Magento 2 installation on the server.
The module will get translated into your desired Language. It also supports RTL and LTR languages.
Admin Configuration
General Setting
The admin needs to configure the following sections as mentioned below to integrate the web application firewall into the Magento 2 website.
Under the general setting section, the admin will configure the following fields:
- Enable Magento Security: The admin needs to select “Yes” to enable the Magento 2 security features.
- Get Alerts about Unrecognized Admin Logins: The admin receives an alert each time an admin login is unrecognized.
- Select CMS Page for Blocked IPs: The admin can select the CMS page that is displayed to visitors whose IP has been blocked.
Send Password Reset Request
If the admin selects this option, all sub-admin users will be blocked and sent an email containing a password reset link.
Malicious File Security
The admin can secure the website against malicious files by configuring the following fields.
- Get Notification if Any File Uploads by Magento: The admin receives a notification for every file uploaded to the Magento website.
- Prevent Uploading File With Extension(s): Add the extensions that you want to block from being uploaded to your website, or for which you want a notification after the upload.
- Receive File Malicious Notification on Email Address: Set the email address to which the notification is sent when a malicious file is uploaded.
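The extension deny-list above is the kind of check that is easy to get subtly wrong (case differences, path components, double extensions such as shell.php.jpg). The following is an added, stand-alone example written for this guide, not code from the Webkul module; the deny-list string and file names are constructed, and the comma-separated format of the setting is an assumption.

```python
import os
from typing import Set, Tuple

# Constructed value for the "Prevent Uploading File With Extension(s)" field
# (assumed to be a comma-separated list, with or without leading dots).
BLOCKED_EXTENSIONS_SETTING = "php, .phtml, phar, sh, EXE"


def parse_extensions(setting: str) -> Set[str]:
    """Normalize the admin's list: trim, drop leading dots, lower-case."""
    return {e.strip().lstrip(".").lower() for e in setting.split(",") if e.strip()}


def upload_verdict(filename: str, setting: str = BLOCKED_EXTENSIONS_SETTING) -> Tuple[bool, str]:
    """Return (allowed, reason) for an uploaded file name.

    Every dot-separated suffix is inspected, so 'shell.php.jpg' and 'shell.PHP.'
    are rejected as well as 'shell.php'. Path components are stripped first so a
    name like '../../pub/shell.phtml' is judged on the basename only.
    """
    blocked = parse_extensions(setting)
    base = os.path.basename(filename.replace("\\", "/")).strip()
    parts = base.lower().split(".")
    for segment in parts[1:]:          # parts[0] is the name before the first dot
        if segment in blocked:
            return False, f"blocked extension .{segment}"
    return True, "ok"
```

Treating every suffix segment as an extension is deliberately strict: a legitimate file named notes.php.txt would be refused, which is the safer failure for a public upload path.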
Enable Country Ban
The admin can also ban countries from which the admin panel will not be accessible, as described below.
- Enable: The admin can enable or disable the country ban functionality.
- Select Specific Countries: If enabled, the admin can select the countries to ban.
IPs Allowed Setting
The admin can configure whitelisted and blacklisted IPs through the following fields.
- Blacklist IP(s): List all IPs to be blacklisted in this field. The admin can also block entire address classes using wildcards, e.g. 192.168.1.*, 101.22.*.*
- Whitelist IP(s): List all IPs to be whitelisted in this field. The admin can also whitelist entire address classes using wildcards, e.g. 192.168.1.*, 101.22.*.*
- Enable IP Debug Log: The admin can keep debug logs for the IP filtering.
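To make the wildcard classes above concrete, here is an added example (written for this guide, not the module's own code) that turns a pattern such as 101.22.*.* into a CIDR network and then applies both lists to a client address. The sample lists are constructed, and the rule that a whitelist entry overrides a blacklist entry is an assumption rather than documented module behaviour.

```python
import ipaddress
from typing import Iterable

# Constructed sample lists in the same notation the admin types into the fields.
BLACKLIST = ["203.0.113.7", "198.51.100.*", "192.0.2.*"]
WHITELIST = ["198.51.100.25"]          # one host inside a blacklisted class


def wildcard_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Convert '192.168.1.*' style patterns (trailing '*' octets only) to a CIDR network."""
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 pattern: {pattern!r}")
    fixed = []
    for i, octet in enumerate(octets):
        if octet == "*":
            # Once a wildcard appears, every remaining octet must also be a wildcard.
            if any(rest != "*" for rest in octets[i:]):
                raise ValueError(f"wildcards must be trailing: {pattern!r}")
            break
        if not 0 <= int(octet) <= 255:
            raise ValueError(f"octet out of range: {pattern!r}")
        fixed.append(octet)
    prefix = 8 * len(fixed)                              # 3 fixed octets -> /24, 2 -> /16
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{prefix}")


def matches_any(ip: str, patterns: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in wildcard_to_network(p) for p in patterns)


def is_allowed(ip: str, blacklist=BLACKLIST, whitelist=WHITELIST) -> bool:
    """Assumed precedence: an explicit whitelist match wins over any blacklist match."""
    if matches_any(ip, whitelist):
        return True
    return not matches_any(ip, blacklist)
```

Rejecting patterns with a wildcard in the middle (10.*.1.1) keeps the mapping to a prefix unambiguous; if the real module accepts such patterns it must be matching octet by octet instead.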
Frontend Two Step Authentication
This functionality lets the store owner require two-step authentication for customer login. The admin can configure the following fields:
- Enable Google Two Factor Auth: The admin can enable or disable two-factor authentication.
- Enable “trust this device” option: If enabled, customers can mark a device as trusted.
Note: The “trust this device” option works only on HTTPS websites.
Protect Against Brute-force
The admin can protect the website against brute-force (proxy login) attacks by configuring the following fields.
- Enable: Enable or disable the brute-force (proxy login) protection.
- Send Warning Emails To: Add the email address to which warning emails will be sent.
- Send Alert on Each Login Failed: Receive an alert on every failed login.
- Admin User Locked Alert: If enabled, an alert email is sent when an admin user is locked (Admin User Lock Setting: Advanced > Admin > Security).
Abuse IPDB
The admin can report abusive IPs to AbuseIPDB by configuring the following fields.
- Activate: The admin needs to activate this section.
- API Key: Add the API key that you receive on creating an account at AbuseIPDB.
- Max Days: Enter a number of days (1-365) that determines how far back in time reports are fetched.
- Report IPs If Brute Force Attempt Detected: If enabled, an IP is reported automatically when a brute-force (proxy login) attack is detected from it.
- Block IP Based on Abuse Confidence Score: The admin can enable IP blocking based on the abuse confidence score.
- Block IPs If Minimum Abuse Confidence Score: The admin can define the score above which an IP will be rejected.
Note: You need to sign up for AbuseIPDB and select a suitable plan. To know more, please visit the following link: HERE
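The “Protect Against Brute-force” and “Abuse IPDB” sections above describe two decisions: spotting a brute-force pattern in the admin login log, and deciding from an AbuseIPDB report whether an IP should be blocked given the Max Days and minimum confidence score settings. The following added example (written for this guide, not the module's own code) shows both. The log lines and their format are constructed; the report dictionary uses the abuseConfidenceScore and lastReportedAt field names of AbuseIPDB's check response, but its values are constructed and no network call is made.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed admin login log. Assumed line format:
# "<ISO timestamp> <client ip> <username> <FAILED|SUCCESS> <login url>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 admin FAILED /admin/
2024-05-01T10:00:04 203.0.113.7 admin FAILED /admin/
2024-05-01T10:00:06 203.0.113.7 root FAILED /admin/
2024-05-01T10:00:09 203.0.113.7 admin FAILED /admin/
2024-05-01T10:00:12 203.0.113.7 manager FAILED /admin/
2024-05-01T10:05:00 198.51.100.25 alice FAILED /admin/
2024-05-01T10:05:40 198.51.100.25 alice SUCCESS /admin/
"""

MAX_FAILURES = 5                 # assumed lockout threshold
WINDOW = timedelta(minutes=1)    # assumed sliding window

Event = Tuple[datetime, str, str, str, str]


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, url = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result, url))
    return events


def brute_force_ips(events: List[Event], max_failures: int = MAX_FAILURES,
                    window: timedelta = WINDOW) -> Set[str]:
    """IPs with at least max_failures FAILED logins inside any sliding window."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for ts, ip, _user, result, _url in events:
        if result == "FAILED":
            failures[ip].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= max_failures:
                flagged.add(ip)
                break
    return flagged


def should_block(report: dict, min_score: int, max_days: int, now: datetime) -> bool:
    """Apply 'Block IPs If Minimum Abuse Confidence Score' to one AbuseIPDB-style report.

    A report whose last entry is older than Max Days is ignored, which is the same
    effect as asking AbuseIPDB for only the last max_days of reports.
    """
    last = datetime.fromisoformat(report["lastReportedAt"])
    if now - last > timedelta(days=max_days):
        return False
    return report["abuseConfidenceScore"] >= min_score
```

The sliding window is what distinguishes a burst of five failures in eleven seconds (the first address) from one mistyped password followed by a successful login (the second); only the former should trigger reporting.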
MailBox Layered Email Verification
The admin can enable real-time email address verification through mailboxlayer.
- API Key: Add the API key obtained on creating an account at mailboxlayer.com.
- Enable for Customer: The admin can enable the mailboxlayer verification for customers.
Note: You need to select a plan for mailboxlayer. To know more, visit the following link: HERE
Email Sender and Templates
The admin can set different templates that are sent to the sub-user and admin in the scenarios listed below.
The admin can select the sender from whom the notification is sent and assign a different template to each scenario.
Admin Login Logs
All the admin’s login logs will be displayed under the following section as shown in the image below.
View Permissions
The admin can identify whether the Magento store is in Production, Developer, or Default mode.
The admin needs to select whether the server hosting is shared or private; based on that choice the directories are displayed as shown in the image below.
The admin can view all the files and their permissions. A file is given an error status if its permissions are not ideal.
This helps the admin correct the file permissions and protect the website against the vulnerabilities that over-permissive files introduce.
Brute Force Login Logs
This section displays all the brute-force login logs, so the store owner can see each attempt's IP address, login URL, browser and login time.
This helps the admin detect fraudulent login attempts and report or block the offending IPs.
Customer Front End
Email Address Validation
If the mailbox real-time layered email address verification is enabled for the customer then the customers have to enter a valid email address during registration.
If the valid email address is not added, the following error message will be displayed as shown in the image below.
Two Factor Authentication
If the admin enables two-factor authentication, then each time the customer logs in an OTP generated by Google Authenticator must be entered to complete the login.
After registering for the first time, the customer is taken to the dashboard, where the customer enrols in two-step authentication as shown in the image below.
On enrolling, the customer is taken to the QR code page, where the customer scans the QR code with Google Authenticator. Please check the screenshot below.
After scanning, the customer enters the OTP in the respective field. A notification confirms that the OTP is valid, as shown in the image below. The customer can now enable or disable Google Authentication.
If Two Factor Authentication is enabled, the customer visits the OTP section again at login. The customer can now choose to mark the device as trusted; if selected, the customer does not have to enter an OTP from the app on that device again.
So, that’s all for the module. For any question or query, please raise a ticket at our HelpDesk system. We are always happy to help you out. You can also reach us by mail at support@webkul.com.